On Tuesday, March 22, 2022, threat actor group Lapsus$ posted screenshots in their Telegram channel of what they claim is Okta customer data.
Okta is a leading provider of authentication services and Identity and Access Management (IAM) solutions. They’re used by organizations worldwide as a single sign-on (SSO) provider, allowing employees to securely access a company’s internal systems, such as email accounts, calendars, applications and more.
Screenshots within the Telegram channel show a timestamp on the system of January 21, 2022, which may indicate this was the date of the breach. Okta’s CEO Todd McKinnon confirms that Okta detected “an attempt to compromise the account of a third-party customer support engineer” in January. Furthermore, he states, “We believe the screenshots shared online are connected to this January event.”
Lapsus$ has previously claimed responsibility for the leaked proprietary data of companies such as NVIDIA and Samsung. Unlike ransomware groups, Lapsus$ does not encrypt data once they gain access. Instead, they exfiltrate the data and threaten to publish what they’ve gathered if demands are not met. The group began by focusing on Latin American victims, and some security researchers suspect the group is based in Latin America.
Okta’s public statement says they remain fully operational. When they detected an unsuccessful attempt to compromise the account of the third-party engineer, they “alerted the third-party provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account.” They are actively continuing their investigation, including identifying and contacting those customers that may have been impacted. Okta says there is no impact to Auth0 customers or to HIPAA and FedRAMP customers.
As an Okta customer, Nuspire has implemented all of the recommendations below, including rotating passwords, certificates and API keys related to our Okta infrastructure. Nuspire is also actively threat hunting for signs of suspicious Okta activity internally and in our client environments.
Nuspire recommends you take the following actions: